Use the ReadFromDirectory statement to initialize Policy Agent as an LDAP client. Policies are downloaded from the LDAP server and installed together with the policies specified in this Policy Agent configuration file (the file currently in use by Policy Agent, which contains this statement). All the policies are installed to the appropriate TCP images.
You can use a set of sample files to help set up the LDAP server and populate it with policies. These files reside in the /usr/lpp/tcpip/samples directory.
Requirement: These files must be installed on the LDAP server as a subschema of the cn=schema object by using the command.
See the prologs in these sample files and z/OS Communications Server: IP Configuration Guide for more information.
Tip: These policies are not intended to be used as shipped, but they can be copied to a custom set (defined in pagent.ldif) and modified as needed.
For more information about how to use LDAP and for other LDAP references, see Understanding LDAP (SG24-4986).
Syntax:

ReadFromDirectory
{
    [ReadFromDirectory Parameters]
}

Place braces and parameters on separate lines.

ReadFromDirectory Parameters (each is optional unless stated otherwise; defaults are shown):

    LDAP_Server address                           default 127.0.0.1
    LDAP_Port port                                default 389
    LDAP_BackupServer address
    LDAP_BackupPort port                          default 389
    LDAP_DistinguishedName string  LDAP_Password string   (specified together)
    LDAP_SessionPersistent Yes | No               default No
    LDAP_ProtocolVersion 3                        default 3
    LDAP_SchemaVersion 1 | 2 | 3                  default 3
    Base string
    LDAP_SelectedTag string
    SearchPolicyBaseDN string
    SearchPolicyKeyword keyword                   repeatable
    PolicyRole role                               repeatable
    SearchPolicyGroupKeyWord string               repeatable
    SearchPolicyRuleKeyWord string                repeatable
    LDAP_AbstractPolicy Yes | No                  default Yes
    LDAP_SSL
    {
        [LDAP_SSL Parameters]
    }

LDAP_SSL Parameters (braces and parameters on separate lines):

    LDAP_SSLKeyringFile filename                  required
    LDAP_SSLKeyringPassword password
    LDAP_SSLName string
Restriction: Case sensitivity of this attribute is determined by the LDAP server.
Requirement: This is required when using schema Version 1 only.
Restriction: This is allowed only when using schema Version 1.
Requirement: This attribute is only allowed, and is required, if LDAP_SchemaVersion 2 or higher is specified.
Guideline: Case sensitivity of this attribute is determined by the LDAP server.
Restriction: This attribute is valid only with LDAP_SchemaVersion 3.
You can specify up to eight instances of this attribute. Specify either a single keyword delimited by blanks or any string containing blanks or other special characters, enclosed in double quotation marks. For example:
SearchPolicyKeyword singleword
SearchPolicyKeyword "quoted string"
Restriction: This parameter is valid only with LDAP_SchemaVersion 3.
PolicyRole role1
PolicyRole role1&&"quoted role 2"
PolicyRole "quoted role 3"
PolicyRole role4
Use this parameter to filter out policy rules that do not contain any of the specified roles or role-combinations, using the attribute ibm-policyRoles. For example, the set of roles specified in this example results in the retrieval of any policy rules that specify "role1" or "role1&&quoted role 2" or "quoted role 3" or "role4" in their ibm-policyRoles values.
Restriction: This is only needed when client authentication is required.
This attribute is required when LDAP_SSL is specified.
Restriction: Some servers do not support client authentication; therefore, this parameter is not used.
ReadFromDirectory
{
Ldap_server ldapserver.mynetwork.com
Ldap_port 9000
Base o=ibm,c=us
Ldap_selectedtag MVS1
}
ReadFromDirectory
{
LDAP_Server 9.11.12.13
LDAP_Port 9000
LDAP_SessionPersistent Yes
LDAP_BackupServer 9.11.22.23
LDAP_BackupPort 555
LDAP_DistinguishedName cn=root, o=IBM, c=US
LDAP_Password secret
LDAP_SchemaVersion 2
LDAP_ProtocolVersion 3
SearchPolicyBaseDN o=ibm, c=us
SearchPolicyGroupKeyword MVSA
SearchPolicyRuleKeyword cherryPicker
SearchPolicyRuleKeyword ripe
}
ReadFromDirectory
{
LDAP_Server ldapv3server
LDAP_BackupServer 10.100.1.5
LDAP_BackupPort 7500
LDAP_DistinguishedName cn=root, o=IBM, c=US
LDAP_Password secret
LDAP_SchemaVersion 3
LDAP_ProtocolVersion 3
LDAP_AbstractPolicy Yes
SearchPolicyBaseDN cn=policy, o=ibm, c=us
SearchPolicyKeyword QoS
SearchPolicyKeyword Diffserv
}
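The following Python script is an added example; it is not code from this page or from z/OS Communications Server. It parses a ReadFromDirectory block written as in the examples above (braces on their own lines, an optional nested LDAP_SSL block, repeatable parameters), checks the constraints the page states (SearchPolicyKeyword and PolicyRole only with LDAP_SchemaVersion 3, at most eight SearchPolicyKeyword instances, LDAP_SSLKeyringFile required when LDAP_SSL is specified), and applies the PolicyRole filter against constructed rule records carrying ibm-policyRoles values. The sample configurations, the rule records and the keyring path /etc/pagent/ldap.kdb are constructed for this example; the finding about a bind password configured without LDAP_SSL is a reviewer's observation about credential exposure, not a Policy Agent rule, and the quote-stripping comparison of roles is an assumption.

```python
# Added example: parse and check a Policy Agent ReadFromDirectory block.
# Checks are the constraints the page states; the cleartext-bind finding is a
# defender's observation, not a Policy Agent rule.

REPEATABLE = {"searchpolicykeyword", "policyrole",
              "searchpolicygroupkeyword", "searchpolicyrulekeyword"}
SCHEMA_V3_ONLY = ("searchpolicykeyword", "policyrole")
MAX_SEARCH_KEYWORDS = 8

# Constructed sample; the keyring path is a placeholder, not a value from the page.
HARDENED_CONFIG = """\
ReadFromDirectory
{
  LDAP_Server ldapv3server
  LDAP_DistinguishedName cn=root, o=IBM, c=US
  LDAP_Password secret
  LDAP_SchemaVersion 3
  SearchPolicyKeyword QoS
  PolicyRole role1
  PolicyRole role1&&"quoted role 2"
  PolicyRole "quoted role 3"
  LDAP_SSL
  {
    LDAP_SSLKeyringFile /etc/pagent/ldap.kdb
  }
}
"""

# Constructed sample: schema 2 with a schema-3-only parameter, a bind password
# and no LDAP_SSL block.
WEAK_CONFIG = """\
ReadFromDirectory
{
  LDAP_Server 9.11.12.13
  LDAP_DistinguishedName cn=root, o=IBM, c=US
  LDAP_Password secret
  LDAP_SchemaVersion 2
  SearchPolicyKeyword QoS
}
"""

# Constructed policy rules as the directory might return them.
SAMPLE_RULES = [
    {"cn": "ruleA", "ibm-policyRoles": ["role1"]},
    {"cn": "ruleB", "ibm-policyRoles": ["role1&&quoted role 2"]},
    {"cn": "ruleC", "ibm-policyRoles": ["role4"]},
]


def parse_read_from_directory(text):
    """Parse one ReadFromDirectory { ... } block into a dict: names lower-cased,
    repeatable parameters as lists, LDAP_SSL as a nested dict. Braces must sit
    on their own lines, as the statement syntax requires."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].lower() != "readfromdirectory" or lines[1] != "{":
        raise ValueError("expected 'ReadFromDirectory' followed by '{'")
    root, pending = {}, None
    stack = [root]
    for ln in lines[2:]:
        if (ln == "{") != (pending is not None):
            raise ValueError("a bare name must be followed by '{' on its own line")
        if ln == "{":
            stack[-1][pending] = sub = {}   # open the nested block
            stack.append(sub)
            pending = None
        elif ln == "}":
            stack.pop()
            if not stack:                    # outermost block closed
                break
        else:
            parts = ln.split(None, 1)
            name, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            if not value:                    # bare name such as LDAP_SSL
                pending = name
                continue
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # "quoted string" -> quoted string
            if name in REPEATABLE:
                stack[-1].setdefault(name, []).append(value)
            else:
                stack[-1][name] = value
    if stack:
        raise ValueError("unbalanced braces in ReadFromDirectory block")
    return root


def check_read_from_directory(cfg):
    """Return findings for a parsed block; an empty list means clean."""
    findings = []
    schema = cfg.get("ldap_schemaversion", "3")   # default from the syntax diagram
    for name in SCHEMA_V3_ONLY:
        if name in cfg and schema != "3":
            findings.append(f"{name} is valid only with LDAP_SchemaVersion 3, not {schema}")
    if len(cfg.get("searchpolicykeyword", [])) > MAX_SEARCH_KEYWORDS:
        findings.append("more than eight SearchPolicyKeyword instances")
    ssl = cfg.get("ldap_ssl")
    if ssl is not None and "ldap_sslkeyringfile" not in ssl:
        findings.append("LDAP_SSLKeyringFile is required when LDAP_SSL is specified")
    if "ldap_password" in cfg and ssl is None:
        findings.append("LDAP_Password without LDAP_SSL: bind credential sent in cleartext")
    return findings


def select_rules_by_role(cfg, rules):
    """Apply the PolicyRole filter: keep rules whose ibm-policyRoles contain a
    configured role or role-combination (quotes ignored, an assumption here);
    with no PolicyRole configured every rule is kept."""
    wanted = {r.replace('"', "") for r in cfg.get("policyrole", [])}
    if not wanted:
        return list(rules)
    return [r for r in rules
            if wanted & {v.replace('"', "") for v in r.get("ibm-policyRoles", [])}]


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, check_read_from_directory(parse_read_from_directory(text)) or "clean")
```

Run against the page's second example (LDAP_SchemaVersion 2, LDAP_Password present, no LDAP_SSL), the checker reports only the cleartext-bind observation, because that example uses the schema-version-neutral SearchPolicyGroupKeyword and SearchPolicyRuleKeyword rather than SearchPolicyKeyword; the constructed WEAK_CONFIG adds a SearchPolicyKeyword line so that the schema-3 restriction is also exercised.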